R: R: Postgress SQL connections

Massimiliano Tarquini m.tarquini at 4it.it
Sun Dec 14 20:10:46 CET 2008


It seems to be exactly what is happening.
I have noticed a new thing. When the radius crashes, the database
administration interface continues showing the connection to the radius.
Using netstat on the radius server, there are no connections to the database
server.
Is it possible?
Maybe the firewall?







4IT S.r.l.
Massimiliano Tarquini | Amministratore unico



-----Original message-----
From: freeradius-users-bounces+m.tarquini=4it.it at lists.freeradius.org
[mailto:freeradius-users-bounces+m.tarquini=4it.it at lists.freeradius.org] On
behalf of Alan DeKok
Sent: Sunday, 14 December 2008 19.54
To: FreeRadius users mailing list
Subject: Re: R: Postgress SQL connections

Massimiliano Tarquini wrote:
> We are using the same freeradius as a proxy and it works fine running on a
> different machine.
> The proxy auths the outer EAP-TTLS, then asks the radius to auth the inner.

  That still isn't a very clear description of the network configuration.

> There is a firewall between the radius and the database (not between the
> proxy and the database). May the firewall cause the problem?

  Yes.

  I've never understood why people put firewalls between critical
network services.  And *then* configure the firewalls to time out
inactive connections.

  In this case, what's happening is this:

 - FreeRADIUS asks the Postgresql client library to open a socket to the
server.
 - it does
 - 10 minutes later, the firewall decides that the TCP connection is
unused, and discards all knowledge of it
 - FreeRADIUS receives a new request, and asks the postgresql client
library to do an SQL query.
 - the postgresql library believes that the connection is still up, and
tries to use it.
 - the firewall discards ALL packets for the connection
 - the kernel blocks all reads && writes that the postgresql client
library tries to do.
 - which then blocks FreeRADIUS.

  In short, configuring the firewall to discard sessions after 10
minutes or so of idle time is bad.  *Especially* because the connections
between FreeRADIUS && the DB are idle for longer than that.

  This is *not* a problem with FreeRADIUS.  You have configured your
firewall so that *it* is blocking the server.  Fix your firewall, or
remove it.

  Nothing else will solve the problem.

  Alan DeKok.
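
The sequence described in the message above, as an added example that is not part of the original thread: a small constructed model of a stateful firewall that forgets idle flows. The `Firewall` class, `simulate` and the endpoint names are hypothetical; the 600-second timeout is the "10 minutes" from the message, and the TCP handshake and retransmissions are condensed to single packets.

```python
IDLE_TIMEOUT = 600  # seconds; the "10 minutes" from the message above


class Firewall:
    """Stateful firewall that forgets a TCP flow after idle_timeout seconds."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.flows = {}  # flow id -> time the last packet was seen

    def forward(self, flow, flags, now):
        """Return True if the packet is passed, False if silently dropped."""
        last_seen = self.flows.get(flow)
        if last_seen is not None and now - last_seen > self.idle_timeout:
            del self.flows[flow]      # state expired: the flow is forgotten
            last_seen = None
        if last_seen is None and flags != "SYN":
            return False              # mid-stream packet for an unknown flow
        self.flows[flow] = now
        return True


def simulate(idle_seconds):
    """Open a connection, stay idle, send a query, then close the client."""
    fw = Firewall()
    flow = ("radius:40000", "db:5432")  # hypothetical endpoints
    client = server = "CLOSED"
    if fw.forward(flow, "SYN", now=0):
        client = server = "ESTABLISHED"
    # After the idle period the client library reuses the socket for a query.
    query_delivered = fw.forward(flow, "DATA", now=idle_seconds)
    # The client process exits and its socket is closed. The FIN crosses the
    # same firewall, so the server only learns of the close if it is passed.
    client = "CLOSED"
    if fw.forward(flow, "FIN", now=idle_seconds + 1):
        server = "CLOSED"
    return {"query_delivered": query_delivered,
            "client": client, "server": server}


if __name__ == "__main__":
    for idle in (300, 900):
        print(idle, simulate(idle))
```

In this model, once the idle time exceeds the timeout the query is dropped and the database side keeps the connection as established after the client side has closed it, because the FIN is dropped as well.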